CCNA Security Packet Tracer Practice SBA v1.2

This CCNA Security Packet Tracer Skill Based Assessment Practice v1.2 was contributed by someone from Royal British Legion Hannover. This post shares the solution for CCNA Security SBA v1.2, which the contributor says is 98% correct. I hope it will be a good guideline and benefit all of us. Below are the questions and solutions for CCNA Security Packet Tracer SBA v1.2.

CCNA Security v1.2 PT Practice SA

A few things to keep in mind while completing this activity.
1. Do not use the browser Back button or close or reload any Exam windows during the exam.
2. Do not close Packet Tracer when you are done. It will close automatically.
3. Click the Submit Assessment button to submit your work.

c. Enable password encryption for all clear text passwords in the configuration file.
CORP(config)# service password-encryption

d. Configure the console line and all vty lines 0 to 15 with the following requirements:
Note: CORP is already configured with the username CORPADMIN and the secret password Ciscoccnas.
– use the local database for login
– disconnect after being idle for 20 minutes
CORP(config)# line console 0
CORP(config-line)# login local
CORP(config-line)# exec-timeout 20 0
CORP(config-line)# line vty 0 15
CORP(config-line)# login local
CORP(config-line)# exec-timeout 20 0

e. Disable the CDP protocol only on the link to the Internet router.
CORP(config)# interface s0/0/0
CORP(config-if)# no cdp enable

b. Configure the CORP router to accept SSH connections. Use the following guidelines:
Note: CORP is already configured with the username SSHAccess and the secret password ciscosshaccess.
– domain name is theccnas.com
CORP(config)# ip domain-name theccnas.com

c. Configure the CORP router with AAA server-based authentication and verify its functionality:
Note: The AAA server is already configured with RADIUS service, a username CORPSYS and the password LetSysIn. The key for the client to access the AAA server is corpradius.
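The page shows only the domain-name command for step b and no commands at all for step c. The following is an added example, not part of the contributed solution, of how the two steps are normally completed together on the CORP router. The RADIUS server address 192.168.1.3 and the 1024-bit RSA modulus are assumptions; the domain theccnas.com, the key corpradius and the usernames come from the task text above.

```cisco
! Step b: SSH access on CORP
! Assumption: 1024-bit modulus (Packet Tracer also accepts the interactive
! "crypto key generate rsa" prompt). The RSA key needs a hostname and domain name.
CORP(config)# ip domain-name theccnas.com
CORP(config)# crypto key generate rsa general-keys modulus 1024
CORP(config)# ip ssh version 2
CORP(config)# ip ssh authentication-retries 2
CORP(config)# line vty 0 15
CORP(config-line)# transport input ssh
CORP(config-line)# exit

! Step c: server-based AAA (RADIUS) with local fallback
! Assumption: the AAA server is reachable at 192.168.1.3; the key corpradius is given.
CORP(config)# aaa new-model
CORP(config)# radius-server host 192.168.1.3 key corpradius
! RADIUS is tried first; if the server does not answer the local database is used,
! which is why the backup SSHAccess/CORPADMIN accounts still work later on.
CORP(config)# aaa authentication login default group radius local
! After "aaa new-model" the earlier "login local" on the lines is superseded by the
! default method list; naming a list and binding it makes the intent explicit.
CORP(config)# aaa authentication login SSH-LOGIN group radius local
CORP(config)# line vty 0 15
CORP(config-line)# login authentication SSH-LOGIN
CORP(config-line)# end

! Verify: from a PC run "ssh -l CORPSYS 209.165.200.226", and on CORP watch
! the RADIUS exchange with:
CORP# debug aaa authentication
```

The order `group radius local` matters for scoring and for safety: `local group radius` would never consult the server while a local account matches, and `group radius` alone would lock you out of the router the moment the AAA server is unreachable.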

e. Configure NAT for both inside and dmz network
– Create an object inside-nat with subnet 192.168.1.0/24 and enable the IP addresses of the hosts in the Internal network to be dynamically translated to access the External network using the outside interface
CORP-ASA(config)# object network inside-nat
CORP-ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
CORP-ASA(config-network-object)# nat (inside,outside) dynamic interface
CORP-ASA(config-network-object)# end

g. Configure an ACL to allow access to the DMZ servers from the Internet. The ACL will also allow icmp echo-reply traffic from the Internet to enter the CORP-ASA
– Create, apply, and verify an extended named ACL (named OUTSIDE- TO-DMZ) to filter incoming traffic to the CORP-ASA.
The ACL should be created in the order specified in the following guidelines (Please note, the order of ACL statements is significant only because of the scoring need in Packet Tracer.):
1. HTTP traffic is allowed to DMZ Web Svr.
CORP-ASA(config)# access-list OUTSIDE-TO-DMZ extended permit tcp any host 10.1.1.2 eq http

5. The ACL should contain five ACEs. Apply it inbound on the outside interface:
CORP-ASA(config)# access-group OUTSIDE-TO-DMZ in interface outside

6. Verify ASA configurations. Both Net Admin PC and DMZ Web Svr can access the website www.externalone.com.
Admin PC can access the website www.theccnas.com.
Admin PC can also establish an FTP connection to www.theccnas.com, with the username cisco and the password cisco.

Step 6: Configure ACLs on the CORP Router to Implement the Security Policy.

b. Create, apply, and verify an extended named ACL (named INCORP) to control access from the Internet into the CORP router. The ACL should be created in the order specified in the following guidelines (Please note, the order of ACL statements is significant only because of the scoring need in Packet Tracer.):
CORP(config)# ip access-list extended INCORP

5. Allow IP traffic from the Branch Office LAN to the public IP address range that is assigned to the CORP site (209.165.200.240/28).
CORP(config-ext-nacl)# permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15

6. Allow echo-reply and host-unreachable traffic from the Internet
CORP(config-ext-nacl)# permit icmp any any echo-reply
CORP(config-ext-nacl)# permit icmp any any host-unreachable

c. To verify the INCORP ACL, complete the following tests:
– Net Admin PC in the Internal network can access the URL http://www.externalone.com;
– Admin PC can establish an SSH connection to the CORP router (209.165.200.226) with the username CORPSYS and password LetSysIn. If the password does not work, you may try the backup username SSHAccess and password ciscosshaccess defined in the local database.
– External User cannot establish an SSH connection to the CORP router (209.165.200.226).

c. Define a traffic class and access list.
– Create an ACL 110 to permit all protocols from the 198.133.219.32/27 network to any destination.
Branch(config)# access-list 110 permit ip 198.133.219.32 0.0.0.31 any

f. Verify the ZBF configuration.
– The Admin PC in the Branch office can access the URLs http://www.theccnas.com and http://www.externalone.com.
– The Admin PC in the Branch office can ping the External PC (192.31.7.33).
– External User cannot ping the Admin PC in the Branch office (198.133.219.35).
– The Admin PC in Branch office can establish an SSH connection to the CORP router with the username CORPSYS and password LetSysIn.

If the password does not work, you may try the backup username SSHAccess and password ciscosshaccess defined in the local database.

To establish the SSH connection from the PC command prompt, the syntax is ssh -l <username> <ip-address>, for example:
PC> ssh -l CORPSYS 209.165.200.226

Step 8: Configure a Site-to-Site IPsec VPN between the CORP router and the Branch Router.

The following tables list the parameters for the ISAKMP Phase 1 Policy and IPsec Phase 2 Policy:

ISAKMP Phase 1 Policy Parameters

  Parameter                 Value
  Key Distribution Method   ISAKMP
  Encryption Algorithm      AES
  Number of Bits            256
  Hash Algorithm            SHA-1
  Authentication Method     Pre-share
  Key Exchange              DH 2
  IKE SA Lifetime           86400
  ISAKMP Key                Vpnpass101

IPsec Phase 2 Policy Parameters

  Parameter            CORP Router              Branch Router
  Transform Set Name   VPN-SET                  VPN-SET
  Transform Set        esp-3des esp-sha-hmac    esp-3des esp-sha-hmac
  Peer Hostname        Branch                   CORP
  Peer IP Address      198.133.219.2            209.165.200.226
  Encrypted Network    209.165.200.240/28       198.133.219.32/27
  Crypto Map Name      VPN-MAP                  VPN-MAP
  SA Establishment     ipsec-isakmp             ipsec-isakmp

a. Configure an ACL (ACL 120) on the CORP router to identify the interesting traffic. The interesting traffic is all IP traffic between the two LANs (209.165.200.240/28 and 198.133.219.32/27).
CORP(config)# access-list 120 permit ip 209.165.200.240 0.0.0.15 198.133.219.32 0.0.0.31

This is the right solution. When traffic comes from outside and the ACL is applied inbound, the router first checks the ACL to see whether the traffic is permitted to enter, and then it checks the NAT table for current translations.

a. Configure an ACL (ACL 120) on the CORP router to identify the interesting traffic. The interesting traffic is all IP traffic between the two LANs (209.165.200.240/28 and 198.133.219.32/27).
b. Configure the ISAKMP Phase 1 properties on the CORP router. The crypto ISAKMP policy is 10. Refer to the ISAKMP Phase 1 Policy Parameters table for the specific details needed.
c. Configure the IPsec Phase 2 properties on the CORP router. Refer to the IPsec Phase 2 Policy Parameters table for the specific details needed.
d. Bind the VPN-MAP crypto map to the outgoing interface.
e. Configure IPsec parameters on the Branch router using the same parameters as on the CORP router. Note that interesting traffic is defined as the IP traffic between the two LANs.
f. Save the running-config, then reload both the CORP and Branch routers.
g. Verify the VPN configuration by conducting an FTP session with the username cisco and the password cisco from the Branch Admin PC to the DMZ Web Svr. On the Branch router, check that the packets are encrypted. To exit the FTP session, type quit.
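Steps a to g list what has to be done but the page shows only ACL 120 on the CORP side. The following is an added example, not code from the contributed solution, that carries the whole procedure through on both routers using the values from the Phase 1 and Phase 2 tables. Assumptions: the outgoing interface is Serial0/0/0 on both routers (on CORP this is the Internet link used in Step 2; on Branch the interface name is assumed), and the pre-shared key is read from the table as Vpnpass101.

```cisco
! ---------------- CORP router ----------------
! a. Interesting traffic: CORP public LAN <-> Branch LAN
CORP(config)# access-list 120 permit ip 209.165.200.240 0.0.0.15 198.133.219.32 0.0.0.31

! b. ISAKMP Phase 1 policy 10: AES-256, SHA-1, pre-shared key, DH group 2, 86400 s
CORP(config)# crypto isakmp policy 10
CORP(config-isakmp)# encryption aes 256
CORP(config-isakmp)# hash sha
CORP(config-isakmp)# authentication pre-share
CORP(config-isakmp)# group 2
CORP(config-isakmp)# lifetime 86400
CORP(config-isakmp)# exit
CORP(config)# crypto isakmp key Vpnpass101 address 198.133.219.2

! c. IPsec Phase 2: transform set VPN-SET and crypto map VPN-MAP
CORP(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
CORP(cfg-crypto-trans)# exit
CORP(config)# crypto map VPN-MAP 10 ipsec-isakmp
CORP(config-crypto-map)# set peer 198.133.219.2
CORP(config-crypto-map)# set transform-set VPN-SET
CORP(config-crypto-map)# match address 120
CORP(config-crypto-map)# exit

! d. Bind the crypto map to the Internet-facing interface
CORP(config)# interface s0/0/0
CORP(config-if)# crypto map VPN-MAP
CORP(config-if)# end

! ---------------- Branch router ----------------
! e. Mirror image of CORP: networks in ACL 120 and the peer address are swapped
Branch(config)# access-list 120 permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
Branch(config)# crypto isakmp policy 10
Branch(config-isakmp)# encryption aes 256
Branch(config-isakmp)# hash sha
Branch(config-isakmp)# authentication pre-share
Branch(config-isakmp)# group 2
Branch(config-isakmp)# lifetime 86400
Branch(config-isakmp)# exit
Branch(config)# crypto isakmp key Vpnpass101 address 209.165.200.226
Branch(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
Branch(cfg-crypto-trans)# exit
Branch(config)# crypto map VPN-MAP 10 ipsec-isakmp
Branch(config-crypto-map)# set peer 209.165.200.226
Branch(config-crypto-map)# set transform-set VPN-SET
Branch(config-crypto-map)# match address 120
Branch(config-crypto-map)# exit
! Assumption: Branch's outgoing interface is also Serial0/0/0
Branch(config)# interface s0/0/0
Branch(config-if)# crypto map VPN-MAP
Branch(config-if)# end

! f./g. Save on both routers, reload, generate interesting traffic (the FTP
! session from the Branch Admin PC to DMZ Web Svr), then check the SAs
Branch# copy running-config startup-config
Branch# show crypto isakmp sa
Branch# show crypto ipsec sa
```

Before any interesting traffic has crossed the link, `show crypto isakmp sa` shows no SA and the `#pkts encaps`/`#pkts decaps` counters in `show crypto ipsec sa` stay at zero; they should increase together once the FTP session is running. Both ACL 120 entries have to be exact mirrors, otherwise Phase 2 fails with a proxy-identity mismatch even though Phase 1 comes up. The exam fixes 3DES and DH group 2 for scoring purposes; both are deprecated, and on production equipment you would pick AES with a stronger DH group.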